Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:32
Static task: static1
Behavioral task: behavioral1
- Sample: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
- Resource: win10v2004-20220414-en
General
- Target: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe
- Size: 554KB
- MD5: 94d229fc107533eb550d04b03cc41afb
- SHA1: 7b4acea67134d35d128620ae94a4dbe38287b37b
- SHA256: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1
- SHA512: 7b2cd57aeb97d43ac50c5d942a6bd83cbda8e0bc8f2c2f25b6a0fb150108ec5900c8cfcf1fd347f3b4f5d2b1eb9ec6bae41f12881e8927fd2130ea3ccd772ffb
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe

  | description     | ioc                                                                                                             | process      |
  |-----------------|-----------------------------------------------------------------------------------------------------------------|--------------|
  | Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                 | explorer.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asrfivuf = "\"C:\\Windows\\gqukwbaj.exe\""      | explorer.exe |
- Checks whether UAC is enabled
  Processes: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

  | description       | ioc                                                                          | process                                                              |
  |-------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------|
  | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe |
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe, 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

  | description                         | pid  | process                                                              | target process                                                       |
  |-------------------------------------|------|----------------------------------------------------------------------|----------------------------------------------------------------------|
  | PID 852 set thread context of 1592  | 852  | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe |
  | PID 1592 set thread context of 956  | 1592 | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe | explorer.exe                                                         |
- Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe

  | description                  | ioc                     | process      |
  |------------------------------|-------------------------|--------------|
  | File opened for modification | C:\Windows\gqukwbaj.exe | explorer.exe |
  | File created                 | C:\Windows\gqukwbaj.exe | explorer.exe |
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe

  | pid  | process      |
  |------|--------------|
  | 2020 | vssadmin.exe |
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe

  | description     | ioc                                                                                                                          | process      |
  |-----------------|------------------------------------------------------------------------------------------------------------------------------|--------------|
  | Key created     | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter             | explorer.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe |
  | Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe |
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe

  | pid | process                                                              |
  |-----|----------------------------------------------------------------------|
  | 852 | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe |
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe

  | description               | pid | process   |
  |---------------------------|-----|-----------|
  | Token: SeBackupPrivilege  | 848 | vssvc.exe |
  | Token: SeRestorePrivilege | 848 | vssvc.exe |
  | Token: SeAuditPrivilege   | 848 | vssvc.exe |
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe, 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe, explorer.exe

  The 20 IoC rows are identical within each parent/target pair; they are collapsed here with an occurrence count.

  | description                       | pid  | process                                                              | target process                                                       | occurrences |
  |-----------------------------------|------|----------------------------------------------------------------------|----------------------------------------------------------------------|-------------|
  | PID 852 wrote to memory of 1592   | 852  | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe | 11          |
  | PID 1592 wrote to memory of 956   | 1592 | 6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe | explorer.exe                                                         | 5           |
  | PID 956 wrote to memory of 2020   | 956  | explorer.exe                                                         | vssadmin.exe                                                         | 4           |
Processes
(the number after each entry is the depth in the process tree; child processes are indented under their parent)

- C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6356a267a78aa9bb9c21b81d13586b1dc6ecec44faf6e3af2005a3ae07a611a1.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ywynugoxasijikec\01000000
  - Filesize: 554KB
  - MD5: bf11c991683912c35bd9afcd551cc645
  - SHA1: e20f27466a44e669bfa9171aef106eeaa14041a5
  - SHA256: 3a9ac6ca1da9c3060a45d7946da6cd42e513df398f284616ba1f30b6aabeccba
  - SHA512: de342f71333dd324cbcc29c08d5f1b05ad1b8ea0d4c602298a36406cf863a9ffc1cb8810c2744aba02210c8758af57e9629b6abd57d9550d389d8814eefb0b1a
- memory/852-54-0x0000000076781000-0x0000000076783000-memory.dmp (Filesize: 8KB)
- memory/956-69-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/956-80-0x0000000072D21000-0x0000000072D23000-memory.dmp (Filesize: 8KB)
- memory/956-78-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/956-75-0x0000000075251000-0x0000000075253000-memory.dmp (Filesize: 8KB)
- memory/956-73-0x000000000009A160-mapping.dmp
- memory/956-71-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
- memory/1592-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-65-0x000000000040A61E-mapping.dmp
- memory/1592-55-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-77-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1592-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2020-79-0x0000000000000000-mapping.dmp